nanocore

Sharing

Copy URL

Twitter E-mail

General

Target

c8337cbf48070ddbc5e90b7a8269f585_JaffaCakes118
Size

309KB
Sample

240829-epf4lavcnp
MD5

c8337cbf48070ddbc5e90b7a8269f585
SHA1

aa43005bd38fa8e71402276cc5f97a2274f09302
SHA256

4c4286c3e289314f8cbdb1861fa01d3c262aaf066939fb996c7d9f4e73a4e500
SHA512

f97696c9c95ac65724f6dc9d518b08eba2fda8c317d89da521e7de1559bf4359a6dc542ab77f9514bc63075a34520fccf668d9f95601860bb21ac63be7b7e90a
SSDEEP

6144:LEQpl7R9X+hUqX3bc7YJG50JpJ171G3qjmflNiARtgb8gvGLfA:9plt4hUu3g7Y0YpLZGiArY88iY

Score

10^/10

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

chinomso.duckdns.org:7688

Mutex

bed38ea9-13ae-4999-bfd6-9ec5f9de3405

Attributes

activate_away_mode
true
backup_connection_host
chinomso.duckdns.org
backup_dns_server
chinomso.duckdns.org
buffer_size
65535
build_time
2020-12-01T20:47:21.987105436Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
7688
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
bed38ea9-13ae-4999-bfd6-9ec5f9de3405
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
chinomso.duckdns.org
primary_dns_server
chinomso.duckdns.org
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  CHEQUE COPY.exe
- Size
  
  323KB
- MD5
  
  ec067b73f3156aedbd9158f107952eb8
- SHA1
  
  6353de54ce12dfd2cd86a3dc2824c7448157a821
- SHA256
  
  3f6f1635ca9660f24bf4e9527ec6136ed50ad9a8a88e442768143d55eb73a6af
- SHA512
  
  83456705e8bed761fc5091cde0395314968327fd4929cbc79bd4350765328df66fe2ee00d9d66a0b23b1246fe44b19c6f3cb3cd3bbba88e0827442c5e8b79585
- SSDEEP
  
  6144:Lx/MKNJ1v1P/51wTavAPyVCow2do2dZo8bBU2lVWoZmriV:B5T1tPxSPyVDdLP9VBkq
Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  fccff8cb7a1067e23fd2e2b63971a8e1
- SHA1
  
  30e2a9e137c1223a78a0f7b0bf96a1c361976d91
- SHA256
  
  6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
- SHA512
  
  f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
- SSDEEP
  
  192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  l0k0ivt1gwq.dll
- Size
  
  10KB
- MD5
  
  8fec1fe4587680848ab0d0b5f0fd7d62
- SHA1
  
  7192af111e78841f12772d3c82e2be33efaaa28d
- SHA256
  
  553656f7c7bcccf8eff0a2f92d843c194404e5e1a743abc50c3904a1781168fa
- SHA512
  
  254390cdd8565e4a2ef92f3c450228bc470ec09f94d6aabdaaa7115eec5f2c0601f9ba88278b70c4595766a7c42a05be903fcc63444a0e1a119764ab86887bc8
- SSDEEP
  
  192:MeNibu5S6oJROvgAPu8vf1L0HZtbuxw9HqjZ7:E60avgAP3fVSbf5qj
Score

3^/10

discovery
behavioral5 behavioral6